Android Question VAPT apk

falbertini

Member
Licensed User
Longtime User
In a VAPT analysis I have the application that is signed with hash algorithms affected by collision vulnerabilities:

In the manifest editor of the app I have set the min sdk version to 30: android:minSdkVersion="30"
How can I remove the SHA-1 hash from the signature and keep only SHA2-256 signing, as required by the VAPT analysis?
Thanks
 

falbertini

Hello Erel,

I was able to verify with jarsigner that the application is no longer signed using SHA1.

Despite that, I am now seeing the following warning:

This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2052-10-10) or after any future revocation date.

I would like to know how I can sign and add the timestamp to the packet.

Thank you
 